
Security audit

Clash Controller

Security checks across malware telemetry and agentic risk

Overview

This skill appears locally focused and not malicious, but it can change proxy routing through broad triggers and a hardcoded Clash API secret that users should review carefully.

Install only if you intentionally want this skill to control Clash proxy routing. Replace the hardcoded controller secret with your own private configuration, avoid LAN exposure unless you need it, and use explicit Clash-specific commands with confirmation before enabling, disabling, or switching proxy modes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Tp4

High
Category: MCP Tool Poisoning
Confidence: 89%
Finding:
The documented behavior is inconsistent with the reported implementation: it allegedly starts/stops Clash, but actually changes proxy routing mode and also lists nodes and uses a hardcoded API token. This mismatch can mislead users and downstream agents into granting broader trust or invoking actions they do not understand, while the embedded secret increases the chance of unauthorized local API control if exposed.

Vague Triggers

Medium
Confidence: 80%
Finding:
The trigger phrase at this location is broad enough to match ordinary conversation, which can cause accidental invocation of a skill that modifies proxy settings. Unintended proxy changes can disrupt connectivity, reroute traffic, or alter security posture without clear user intent.

Vague Triggers

Medium
Confidence: 84%
Finding:
Ambiguous phrases like generic status or switching language are insufficiently scoped and may be activated by unrelated requests. In a skill that controls system proxy behavior, that ambiguity raises the risk of accidental execution and unintended network-routing changes.

Missing User Warnings

Medium
Confidence: 99%
Finding:
The skill hardcodes a Bearer secret directly in source code and uses it to control the local Clash API. If the skill code is exposed, copied, logged, or inspected by another local component, that credential can be reused to reconfigure proxy behavior, inspect settings, or redirect traffic through attacker-controlled routes via the local API.

VirusTotal

66/66 vendors flagged this skill as clean.
